
Dex Device Flow requires client_secret which is not RFC8628 compliant #3983

Open
3 tasks done
devoxel opened this issue Feb 12, 2025 · 2 comments

Comments

@devoxel

devoxel commented Feb 12, 2025

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.
  • I am not looking for support or already pursued the available support channels without success.

Expected Behavior

When handling a Device Authorization Grant, a RFC8628-compliant client will not send the client secret.

Actual Behavior

If you don't provide a secret, you get an "Invalid client credentials" error. See server/deviceflowhandlers.go#L74.

Steps To Reproduce

Use an RFC8628 compliant client, or just set your client-secret in your client to an empty string.

Additional Information

Dex does have the ability to use "public: true" on clients, which restricts some activity. However, there should be no need to include client secret credentials in clients, so if somebody does not know that they need to configure their client as public, they could end up leaking credentials.

The only tangible security reason to include the secret is if somebody is using Device Flow in a situation where their secret is actually secret. But in that case, they have no reason to be using this flow in the first place.

@nabokihms
Member

which restricts some activity.

@devoxel could you help me please, I didn't get the idea. Why is it not possible to use public clients? Which activity should be restricted?

I also would like to know what is your client configuration in dex. Did you set the empty password for a non-public client?

@devoxel
Author

devoxel commented Feb 20, 2025

It is possible to use public clients. But the issue is that RFC compliant clients will not send the client secret. An example is github.com/cli/oauth.

I created a reproduction to be more obvious: https://github.com/devoxel/example-deviceflow-issue and used a fork of oauth to show that it works when you present a client secret.

I realised while doing this repo that it is possible to use these RFC compliant clients if you set your client secret to "".
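To make the protocol point of this thread concrete, here is an added Go example that is not code from the issue, from Dex, or from github.com/cli/oauth. It builds the two request bodies an RFC 8628 client sends (device authorization request, then the device access token poll), neither of which carries a client_secret, and pairs them with a hypothetical token-endpoint check that accepts public clients on client_id alone while still requiring a secret from confidential clients. The Client type, the registry map, the function names and the constructed client ids and secrets are all assumptions of this example. Unlike the workaround mentioned above, it deliberately does not treat an empty string as a valid secret: a client that has no secret has to be registered as public, which is the configuration that keeps the restrictions the server applies to public clients in force.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Client is a hypothetical registry entry for this example, not Dex's own type.
// A confidential client holds a secret; a public client (the usual RFC 8628
// device client, e.g. a CLI tool that cannot keep a secret) has none.
type Client struct {
	ID     string
	Secret string // empty for public clients
	Public bool
}

// ErrInvalidClient mirrors the "Invalid client credentials" rejection from the issue.
var ErrInvalidClient = errors.New("invalid client credentials")

// deviceGrantType is the grant_type RFC 8628 section 3.4 defines for the token poll.
const deviceGrantType = "urn:ietf:params:oauth:grant-type:device_code"

// deviceAuthorizationRequest builds the RFC 8628 section 3.1 request body:
// client_id plus optional scope, and no client_secret.
func deviceAuthorizationRequest(clientID string, scopes []string) url.Values {
	v := url.Values{}
	v.Set("client_id", clientID)
	if len(scopes) > 0 {
		v.Set("scope", strings.Join(scopes, " "))
	}
	return v
}

// deviceTokenRequest builds the body a compliant client polls the token endpoint
// with (RFC 8628 section 3.4). Again no client_secret: a public client is
// identified by client_id alone.
func deviceTokenRequest(clientID, deviceCode string) url.Values {
	v := url.Values{}
	v.Set("grant_type", deviceGrantType)
	v.Set("device_code", deviceCode)
	v.Set("client_id", clientID)
	return v
}

// authenticateClient is the server-side check a device-flow token endpoint should
// make. Public clients pass on client_id alone; confidential clients must present
// their secret, compared in constant time. An empty secret is never a valid
// secret, so a secretless client has to be registered as public to get through.
func authenticateClient(clients map[string]Client, id, secret string) (Client, error) {
	c, ok := clients[id]
	if !ok {
		return Client{}, ErrInvalidClient
	}
	if c.Public {
		return c, nil // any client_secret in the request is irrelevant for a public client
	}
	if secret == "" || c.Secret == "" {
		return Client{}, ErrInvalidClient
	}
	if subtle.ConstantTimeCompare([]byte(c.Secret), []byte(secret)) != 1 {
		return Client{}, ErrInvalidClient
	}
	return c, nil
}

// handleDeviceToken is a minimal token-endpoint handler for the device grant: it
// validates grant_type and device_code, then authenticates the client. Device-code
// lookup and token minting are outside the point of the example and omitted.
func handleDeviceToken(clients map[string]Client, form url.Values) (Client, error) {
	if form.Get("grant_type") != deviceGrantType {
		return Client{}, errors.New("unsupported_grant_type")
	}
	if form.Get("device_code") == "" {
		return Client{}, errors.New("invalid_request: device_code is required")
	}
	return authenticateClient(clients, form.Get("client_id"), form.Get("client_secret"))
}

func main() {
	// Constructed registry: the same client_id registered confidential and public.
	confidential := map[string]Client{"cli-tool": {ID: "cli-tool", Secret: "constructed-secret"}}
	public := map[string]Client{"cli-tool": {ID: "cli-tool", Public: true}}

	fmt.Println("device authorization request:",
		deviceAuthorizationRequest("cli-tool", []string{"openid", "email"}).Encode())
	poll := deviceTokenRequest("cli-tool", "constructed-device-code")
	fmt.Println("device token request:", poll.Encode())

	_, err := handleDeviceToken(confidential, poll)
	fmt.Println("confidential registration, no secret sent:", err) // rejected, as in the issue
	_, err = handleDeviceToken(public, poll)
	fmt.Println("public registration, no secret sent:", err) // accepted
}
```

Running it prints the two form bodies (note that neither contains client_secret), then the rejection for the confidential registration and a nil error for the public one. The constant-time comparison and the refusal of an empty secret are the two details worth carrying into a real handler.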
